The whole bunch
-
- Posts: 27
- Joined: Tue Apr 23, 2024 7:25 pm
The whole bunch
Hi,
I'm trying to get the whole bunch of functionality out of this software, but I'm wondering how and if at all possible:
- Local LAN 192.168.30.0/24
- We want access to only certain LAN-IPs based on groups (Check)
- We want 2FA through RADIUS (Check)
- We want remote SoftEther Client to get IP from 10.100.0.0/24, not default LAN through a local bridge, as the client's LAN might also be 192.168.30.0/24 (Check, can do with SecureNAT/DHCP)
- We want SoftEther VPN Server clustered for at least failover functionality (Check, but conflicts with previous SecureNAT)
I can get everything to work as said above, but as soon as I start clustering of course I don't have SecureNAT/DHCP anymore, and then I don't know how to get it all working anyway (if possible)... That's why I wonder if what we want here is at all possible. In the absence of SecureNAT/DHCP, I can only do local bridged/external DHCP, which is what we don't want. I tried to create 2 hubs, one local bridged to the LAN, one local bridged to another separate network adapter which has a DHCP for 10.100.0.0/24, then tried to connect the 2 using an L3 Switch, but can't get that to work. Will the above be at all possible? I got it to work properly without clustering, so maybe that's just the answer of how things are: can't do the above clustered???
Many thanks in advance for any help resolving this question...
-
- Posts: 1615
- Joined: Sun Feb 14, 2021 10:31 am
-
- Posts: 27
- Joined: Tue Apr 23, 2024 7:25 pm
Re: The whole bunch
Agreed, I assume you mean route add on the client side?
I tried that, but still can't get that to work...
What should the route add be?
I tried route add 192.168.30.0 255.255.255.0 10.100.0.254 metric 50 If 20
(If 20 is the VPN adapter)
Then yes, 192.168.30.1 goes over 10.100.0.254 instead of the local LAN gateway, but that's it. Still doesn't work...
Do I have the route add wrong perhaps?
I also tried route add 192.168.30.0 255.255.255.0 192.168.30.201 metric 50 If 20
(If 20 again the VPN adapter, 192.168.30.201 being the IP from LANBridge, while the client comes in on VPNBridge 10.100.0.0/24 with IP 10.100.0.254)
LANBridge and VPNBridge both added to L3 with the above IPs... No extra routing added, as the text from L3 says that wouldn't be necessary.
If I understand correctly, L3 is just IP routing, no NAT, e.g. forwarding without NAT, while I guess I would also need NAT for this, no (like the VirtualNAT provides)?
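The next-hop question in this post can be checked mechanically. The following Python script is an added example, not code from the thread or from SoftEther: it models a Windows-style route entry, checks that the next hop is on the VPN adapter's own link (the reason a gateway of 192.168.30.201 cannot be used from a 10.100.0.0/24 adapter), picks the winning route by longest prefix and then metric, and lists overlapping client and remote subnets, the collision the first post worried about. It goes slightly beyond the post by covering the general route-selection rule rather than the two commands tried. The client address 10.100.0.10, the metrics 25 and 50, and the sample routing table are constructed assumptions, and the metric model is simplified (Windows adds the interface metric to the route metric, which is ignored here).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    """One entry of a host routing table (simplified 'route print' row)."""
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected (on-link)
    metric: int
    interface: str


def route(network: str, gateway: Optional[str], metric: int, interface: str) -> Route:
    return Route(
        ipaddress.ip_network(network, strict=False),
        None if gateway is None else ipaddress.ip_address(gateway),
        metric,
        interface,
    )


# Constructed sample value modelled on the thread's setup (an assumption, not a tested
# SoftEther configuration): the client's VPN adapter holds an address in 10.100.0.0/24
# and the L3 switch answers on 10.100.0.254 on the VPNBridge side.
VPN_ADAPTER = ipaddress.ip_interface("10.100.0.10/24")


def check_route(r: Route, adapter: ipaddress.IPv4Interface) -> Tuple[bool, str]:
    """Validate a 'route add <net> <mask> <gateway> metric <m> If <iface>' entry.

    The host resolves the next hop with ARP on the interface the route is bound to,
    so a gateway outside that interface's subnet can never be reached, and a gateway
    that sits inside the destination network is circular.
    """
    if r.gateway is None:
        return True, f"{r.network} is on-link via {r.interface}"
    if r.gateway not in adapter.network:
        return False, (f"next hop {r.gateway} is not on the {adapter.network} link "
                       f"of {r.interface}; nothing can forward to it")
    if r.gateway in r.network:
        return False, f"next hop {r.gateway} lies inside the destination {r.network}"
    return True, f"{r.network} via {r.gateway} on {r.interface} is usable"


def select_route(dest: str, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match, ties broken by the lowest metric (simplified model)."""
    dest_ip = ipaddress.ip_address(dest)
    candidates = [r for r in routes if dest_ip in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def overlapping_subnets(local: List[str], remote: List[str]):
    """Pairs of (local, remote) networks whose ranges collide.

    A client whose own LAN is 192.168.30.0/24 collides with a remote LAN of the same
    range, which is why the thread hands clients addresses from a separate 10.x range.
    """
    pairs = []
    for l in local:
        for r in remote:
            ln = ipaddress.ip_network(l, strict=False)
            rn = ipaddress.ip_network(r, strict=False)
            if ln.overlaps(rn):
                pairs.append((ln, rn))
    return pairs


# Constructed: the client's own LAN is also 192.168.30.0/24 (on-link, metric 25) and the
# VPN route from the post competes with it at metric 50; the /32 host route shows that a
# more specific prefix wins regardless of metric.
SAMPLE_ROUTES = [
    route("192.168.30.0/24", None, 25, "LAN"),
    route("192.168.30.0/24", "10.100.0.254", 50, "VPN"),
    route("192.168.30.5/32", "10.100.0.254", 50, "VPN"),
]

if __name__ == "__main__":
    for r in (route("192.168.30.0/24", "10.100.0.254", 50, "VPN"),
              route("192.168.30.0/24", "192.168.30.201", 50, "VPN")):
        print(check_route(r, VPN_ADAPTER))
    for dest in ("192.168.30.1", "192.168.30.5"):
        print(dest, "->", select_route(dest, SAMPLE_ROUTES).interface)
    print(overlapping_subnets(["192.168.30.0/24"], ["192.168.30.0/24", "10.100.0.0/24"]))
```

With the sample table, traffic for 192.168.30.1 stays on the client's own LAN because the two /24 routes tie on prefix length and the on-link route has the lower metric; only the /32 host route is sent into the tunnel. That is the practical reason the thread moves clients to a 10.x range instead of relying on metrics.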
-
- Posts: 1615
- Joined: Sun Feb 14, 2021 10:31 am
Re: The whole bunch
Look, in the linked example there is a complete and precise L3 "formula" and all you have to do is adapt it to your subnets. There is nothing new in your net topology and I have no intention of doing it for you. That said, to get you started note that "route add 192.168.30.0 255.255.255.0 192.168.30.201" makes no sense whatsoever, no matter how you slice it.
-
- Posts: 27
- Joined: Tue Apr 23, 2024 7:25 pm
Re: The whole bunch
I think I understood your hint :-)
Another small question though:
I've got a VM with VPN Server, 2 NICs, 1 is LAN 192.168.30.198/24, the 2nd NIC is 10.0.0.253/24 with spoofing enabled, DHCP 10.0.0.1-10.0.0.200.
LANBridge on the LAN NIC.
VPNBridge, where clients connect to, on the 2nd VPN NIC.
L3 as said before with 192.168.30.201 on LANBridge, 10.0.0.254 on VPNBridge, no extra routes defined.
So clients get an IP from DHCP. However, from connected until the client gets an IP takes something like 60-120 seconds? Is there perhaps an explanation for this long time? I mean, it does work, it just takes a long time after connecting before things start working. Is this expected behavior or could it somehow be refined to shorten that time?
Seems I can answer that myself:
If you use multiple TCP connections and Half Duplex, DHCP takes this long. With Half Duplex off, DHCP is nearly instant... ? By design... ?
-
- Posts: 1615
- Joined: Sun Feb 14, 2021 10:31 am
-
- Posts: 27
- Joined: Tue Apr 23, 2024 7:25 pm
Re: The whole bunch
2 tiny questions I can't find anything on in the Docs about Clustering:
1) Using a Cluster controller, either only as Controller or as Controller + Server, does this mean that if I shut this Controller down, VPNs connected to members stay connected, but VPNs that were on the Controller will not reconnect (as there's no controller to decide where to connect?), making such a controller a single point of failure, or would one of the remaining members promote itself to Controller in such a case?
2) Similar question about the L3 Switch. You define it on the first server (Controller), and according to the docs don't need to add another on members (which indeed wouldn't make much sense, because they would be using different IPs for the Virtual Interfaces). Since then there's only one L3 in the entire system, again, if I shut down that one (Controller) the whole routing would stop for all connected clients, as there's no L3 in the system anymore, making the L3 thus a single point of failure? Or again, like the Controller function, would it continue on a member server?
Combined:
If you thus combine Clustering and L3, you still have a single point of failure if you shut down the Controller/L3...?
I'm trying to use Clustering to have extra redundancy/fault tolerance, but because I do require an L3 for the wanted setup (see above posts), it seems of no use for my case (want clustering for fault tolerance, not heavy load balancing)?
-
- Posts: 27
- Joined: Tue Apr 23, 2024 7:25 pm
Re: The whole bunch
3 more things:
Clustering:
1) Shut down the Controller: single point of failure (?), as new connections cannot be made since the controller which balances them is down?
2) Shut down the Controller with L3: single point of failure (?), as there's only one L3 running, on the Controller which is down, this then also meaning any routing for all connected clients stops, which would be really bad?
3) Using this routing principle as in the above example setup, thus LAN bridged, 2nd NIC 10.0.0.0/24 subnet bridged, connected through L3, RDP doesn't seem to work. The error I consistently get: Error 0x3000008
I suspect this has something to do with MTU? I know RDP is MTU sensitive from experience through some VPNs. Is there any way I could check/debug this to solve it?
-
- Posts: 1615
- Joined: Sun Feb 14, 2021 10:31 am
Re: The whole bunch
It works for me.
VPN Server>RouterList
RouterList command - Get List of Virtual Layer 3 Switches
Layer 3 Switch Name|Running Status |Interfaces|Routing Tables
-------------------+---------------+----------+--------------
L3TEST |Start (Running)| 2| 0
VPN Server>RouterIfList L3TEST
RouterIfList command - Get List of Interfaces Registered on the Virtual Layer 3
Switch
IP Address |Subnet Mask |Virtual Hub Name
-------------+-------------+----------------
192.168.0.254|255.255.255.0|L3V
10.0.9.254 |255.255.255.0|L3H
tracert 192.168.0.3
Tracing route to 192.168.0.3 over a maximum of 30 hops
1 28 ms 32 ms 26 ms 10.0.9.254
2 34 ms 52 ms 30 ms 192.168.0.3
Trace complete.
netstat -anb
Active Connections
TCP 192.168.0.3:3389 10.0.9.9:1045 ESTABLISHED
CryptSvc
As for these "single point of failure" considerations, yeah...
...like "redundancy/fault tolerance". The SoftEther VPN Server clustering function is designed and implemented to create the following two types of networks or a single network combining both. It is not designed or implemented for any other purposes...
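The RouterIfList table and the tracert transcript above can be read by a script to confirm that a client's traffic really crosses the Virtual Layer 3 Switch. The following Python is an added example, not code from the post or from SoftEther: it parses vpncmd's pipe-separated RouterIfList output into hub-to-interface mappings, extracts the hops from Windows tracert output (tolerating timed-out hops), and reports which hub the path entered the switch on and which hub's subnet holds the destination. The two transcripts are copied from the post and embedded as constructed input so the script runs offline; the same check applies to the 192.168.30.201 / 10.0.0.254 pair from the earlier posts by substituting that RouterIfList output.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed input: the RouterIfList table and tracert transcript copied from the post.
ROUTER_IF_LIST = """\
IP Address   |Subnet Mask  |Virtual Hub Name
-------------+-------------+----------------
192.168.0.254|255.255.255.0|L3V
10.0.9.254   |255.255.255.0|L3H
"""

TRACERT = """\
Tracing route to 192.168.0.3 over a maximum of 30 hops

  1    28 ms    32 ms    26 ms  10.0.9.254
  2    34 ms    52 ms    30 ms  192.168.0.3

Trace complete.
"""


def parse_router_if_list(text: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Map virtual hub name -> L3 interface from vpncmd's pipe-separated table.

    The header row and the '----+----' separator are skipped; cell padding is stripped,
    so the output survives the whitespace collapsing seen in copied transcripts.
    """
    interfaces: Dict[str, ipaddress.IPv4Interface] = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 3 or not cells[0] or cells[0].startswith("-") or cells[0] == "IP Address":
            continue
        ip, mask, hub = cells
        interfaces[hub] = ipaddress.ip_interface(f"{ip}/{mask}")  # accepts dotted masks
    return interfaces


def parse_tracert(text: str) -> List[Optional[ipaddress.IPv4Address]]:
    """Hop addresses from Windows tracert output; a timed-out hop becomes None."""
    hops: List[Optional[ipaddress.IPv4Address]] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue  # banner, blank line or 'Trace complete.'
        try:
            hops.append(ipaddress.ip_address(parts[-1]))
        except ValueError:  # "Request timed out." carries no address
            hops.append(None)
    return hops


def path_through_l3(hops: List[Optional[ipaddress.IPv4Address]],
                    interfaces: Dict[str, ipaddress.IPv4Interface]) -> Optional[Tuple[str, str]]:
    """Return (entry_hub, exit_hub) when the first hop is an L3 interface and the final
    destination is on-link with a different interface of the same switch, else None."""
    if len(hops) < 2 or hops[0] is None or hops[-1] is None:
        return None
    entry = next((hub for hub, itf in interfaces.items() if itf.ip == hops[0]), None)
    if entry is None:
        return None  # first hop is not the switch: traffic took another path
    for hub, itf in interfaces.items():
        if hub != entry and hops[-1] in itf.network:
            return entry, hub
    return None


if __name__ == "__main__":
    ifs = parse_router_if_list(ROUTER_IF_LIST)
    print(ifs)
    print(path_through_l3(parse_tracert(TRACERT), ifs))
```

For the post's transcript the result is ("L3H", "L3V"): the client on 10.0.9.0/24 entered the switch at 10.0.9.254 and reached a host in the 192.168.0.0/24 hub, which is exactly what the L3 interface table promises.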
-
- Posts: 27
- Joined: Tue Apr 23, 2024 7:25 pm
Re: The whole bunch
Just getting to know the software :-)
It's no issue, as we would run the controller with L3 as a VM on a Cluster anyway... So it would still be redundant that way.
As for the RDP, fixed that, works now.
Redid the entire setup, now 3 VMs, 1 controller only/L3, 2 members. Works like a charm...
One last question.
I put up a new 4096-bit cert. on the controller. That works. I noticed the members had their own 2048-bit cert. Then, when I connect the client and tell it to verify the cert., I get the cert. from the controller (that's where I connect), but then it continues selecting a member to connect to, and then no more cert. checking is done? If I put new 4096-bit certs. on the members the client cannot connect anymore. If I create new certs. on the members based on the root (controller cert.) it doesn't work either. Are there some special requirements for member certs. to be kept in mind? From my testing, needs to be 2048 bits, and CN=<servername> as a minimum?
-
- Posts: 1615
- Joined: Sun Feb 14, 2021 10:31 am
Re: The whole bunch
Try Developer Edition or report it here https://github.com/SoftEtherVPN/SoftEtherVPN/issues
-
- Posts: 27
- Joined: Tue Apr 23, 2024 7:25 pm
Re: The whole bunch
Well, I meant more like:
When you start a new cluster setup the members will have a freshly created cert., but what happens when the cert. they use expires?
Will it automatically generate a new one or will the admin have to do that manually?
-
- Posts: 1615
- Joined: Sun Feb 14, 2021 10:31 am
Re: The whole bunch
In around 10 years click on "new" certificate for the server and don't worry about cluster members.